Evan Brown's blog about law, technology and culture

Menu

Do certain mobile apps violate the Computer Fraud and Abuse Act?

[This is a guest post by attorney Caroline Belich. Caroline is a Chicago native, former Michigan State volleyball player, and recent admitee to the California bar with particular interest in the First Amendment.]

According to the Wall Street Journal and other sources, federal prosecutors in New Jersey are investigating whether certain mobile applications for smartphones have illegally obtained or transmitted information about their users. Part of the criminal investigation is to determine whether these app makers made appropriate disclosures to users about how and why their personal information is being used. The app makers subpoenaed include the popular online music service Pandora.

Examples of information disclosed by these app makers may include a user’s age, gender, location, and also unique identifiers for the phone. The information may then passed on to third parties and advertising networks. The problem is that users may be unaware that their information is being accessed by a smartphone app because a maker failed to notify them.

As a result, this failure to notify may violate the Computer Fraud and Abuse Act (18 USC 1030). The CFAA is a federal statute that is often used against hackers. Applying this rationale here, federal prosecutors may argue that the app makers essentially hacked users cellphones.

However, some legal experts believe that criminal charges against the app makers are unlikely. Supporting this belief is the fact that many criminal charges against companies result in non-prosecution or deferred prosecution agreements in exchange for concessions of wrongdoing or monetary payments.

But while criminal charges are doubtful, civil lawsuits by users and causes of action brought by the Federal Trade Commission (FTC) may not be. First, consumers may sue app makers for failure to notify under privacy rights claims. Second, the FTC could allege unfair and deceptive trade practices by makers for failure to inform users how their personal information is being employed. Recently, Google settled with the FTC regarding its social network, Buzz, where allegations were made about violations of users’ privacy.

In light of the potential for privacy rights violations and deceptive trade practices, the FTC has advocated a “Do Not Track” option for web browsers and cellphone users, similar to the “Do Not Call” list for telemarketing. But app makers strongly oppose this idea, of course, for various reason. First, it could obstruct their ability to collect data about their users’ utilization of their product. Second, the option could frustrate financial opportunities with third parties seeking the invaluable consumer statistics. And the third justification is best depicted by Facebook’s privacy policy – while a user may be giving away his own information, he’s not giving away that of his friends… as long as his friends haven’t shared the info with “everyone.”

So even if these criminal investigations do not come to fruition, at least the possibility is making the public aware of their rights involving smartphone products so that industry standards may be created or laws requiring notification may be made.

Monday popular online music streaming service Pandora Media Inc said it received a subpoena in early 2011 relating to a federal grand-jury investigation into the possible illegal collection and transmission of private data by mobile applications. Pandora made the disclosure during an updated Securities and Exchange Commission (SEC) filing of its plans for an initial public stock offering.

According to Pandora, the Oakland, California-based company isn't specifically targeted in the investigation. Rather, federal prosecutors have issued subpoenas "on an industry-wide basis to the publishers of numerous other smartphone applications." The criminal investigation is looking into whether app developers like Pandora are fully disclosing the types of data collected and why the data is actually needed.

I have been trying to acces this site for a while. I was using Chrome then when I tried Safari, it worked just great? Just wanted to bring this to your attention. This is really good website. I have a few myself. I really admire your design. I know this is off topic but,did you make this layout yourself,or purchase from somewhere?

Evan Brown is an attorney in Chicago helping businesses and individuals identify and manage issues dealing with technology development, copyright, trademarks, domain names, software licensing, service agreements and other matters involving the internet and new media.

Evan is a partner in the law firm of Much Shelist, P.C. He is an adjunct professor of law at Chicago-Kent College of Law, and is a Domain Name Panelist with the World Intellectual Property Organization (WIPO).